How to remember passwords (and which ones you should)

At the risk of repeating myself (see What you dont know about passwords might hurt you), the best way to ensure that you never forget your passwords is to offload the task of remembering to a password manager such as 1Password (; $40). For most passwords, most people, and most of the time, thats the only trick youll need. However, no matter what tools you use, youll have to memorize at least a few passwords. Because those are among your most important, you dont want to trade security for memorability. Here a few tips that can help you make sure your brain doesnt betray you.

Determine which passwords you must memorize

I have no idea what 99 percent of my passwords are. Honestly, none whatsoever. Theyre long strings of random computer-generated characters, and Ive never even glanced at most of them. When I need to use them, I let my password manager fill them in for me or, if that wont work for some reason, I copy and paste them. After all, its no harder for an app to enter a 14-character random password than for me to type in the word baseball, so I figure I have nothing to lose by going the crazy-secure route.

However, one password Ive memorized cold is the password that unlocks all the other passwords stored in my password manager. Thats a pretty important one. Ive also memorized my OS X user account password, because I enter it many times a dayand since I use OS Xs FileVault, I need that password to start up my Mac before I have access to any automated tools. Since Im frequently prompted to enter the passwords for my iCloud, Gmail, and Dropbox accounts (often in situations where it would be awkward to copy and paste), Ive memorized those too.

Depending on your habits and needs, your list might be different from mine, but most people can get by with no more than half a dozen passwords committed to memory. Considering that you may have many hundreds of passwords overall, memorizing five or six is a pretty minor task.

Choose a path to high entropy

Once you know which passwords you need to memorize, your next job is to choose passwords that are strong enough to defeat automated hacking attempts yet memorable enough that you can produce them instantlyand, for bonus points, they should be convenient to type.

Undoubtedly you know the basic drill by now. All things being equal, longer passwords are better than shorter ones; random passwords are better than those that follow a pattern; and the best passwords combine upper- and lowercase letters, numbers, and special symbols such as punctuation. It turns out, though, that you dont necessarily need all those qualities in a password to make it securefor example, a long but simple password can be just as secure as a short but complex one. This is provable through a concept called entropy, which refers to a mathematical approximation of how difficult, on average, any given password is to guess.

Depending on how you do the calculation, the passwords "7H#e2U&dY4" (ten random characters) and "blanketsensory" (14 nonrandom characters) are approximately equal in strength, but the latter is much easier to remember and type. Even though it contains only lowercase letters and blanket and sensory are both ordinary English words, the passwords entropy is high enough that a concerted brute-force attack would take days or weeks to crack it. The moral of the story (as brilliantly illustrated in this XKCD comic) is that when you have to memorize a password, a longer phrase composed of random words or syllables will make your life easier than a shorter string of entirely random individual characters.

If your memory is excellent and having to type the fewest possible characters is your biggest consideration, then go with a shorter random passwordbut remember that whereas short used to mean 8 or 9 characters, nowadays 12 or 14 are safer. Nevertheless, since most people can type long words faster than short bursts of random characters, you might find a 25-character phrase more convenient in daily use than a 12-character string of nonsense.

Let a computer pick your passwords

Ive sometimes advised people to use mnemonic cues to remember passwords. For example, taking a sentence such as I once drank three cups of coffee before realizing it was decaf and using just the first letter of each word, with a capital and a number thrown in, creates Iod3cocbriwda reasonably strong password. But because humans have a tendency to unconsciously introduce patterns into passwords produced through these means (which can increase the ease of guessing a password), I prefer to let a computer create a selection of random (but memorable) passwords, and then choose one that sounds good. You have numerous ways to do this.

If you open Keychain Access on your Mac (in /Applications/Utilities), choose File > New Password Item, and then click the key icon next to the Password field, youll see a Password Assistant window. In this window, choose Memorable from the Type pop-up menu and select a password length. The utility will produce a password consisting of a combination of words, numbers, and symbols (such as nineteenth8590.middlingly or baiting325@certifications. Dont like the first suggestion that appears? Click the pop-up menu to see more, or choose More Suggestions from that menu to get another list.

1Passwords password generator also has a mode that creates a series of pronounceable syllables (not necessarily English words), with or without intervening digits or hyphenssuch as "liegnicroci", "lieg7ni2croc5i", or "lieg-ni-croc-i". To generate them in the 1Password app, choose File > New Item > New Password, click Pronounceable, and select the separator and length you prefer. Click the Refresh button to see another password choice. (The directions are similar when you're using 1Passwords browser extensions, although the layout and options are slightly different.)

Have a backup plan (or two)

If, despite choosing memorable or pronounceable options for your top few passwords, youre afraid you might forget them, writing them down on paper is not a terrible ideaas long as you keep that paper in a safe place. Obviously, a sticky note on your computer is not very safe, but your wallet might be an excellent location (and is precisely the recommendation of security expert Bruce Schneier). If youre especially paranoid, you might obfuscate them in some way, such as swapping the first and last charactersbut of course, if you forget how you altered them, youve done yourself a disservice.

Finally, consider giving a copy of that paper to your spouse or a trusted friend, or putting it in a safe deposit box. If something were to happen to you, and your family or business associates urgently needed access to your data, the security of having your passwords stored only in your head would work against you. Just be sure that whoever holds your passwords keeps them as safe as you do yourself.

Copyright 2015 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.